This chapter includes sample configurations. The configurations are in the text file format, with section heads in brackets and one keyword = value pair per line. See the "Copying a Text Configuration File" section and the "Text File Formatting" section for more information about text configurations. The passwords and shared keys shown are placeholders. The IKE protection suites used here (MD5, DES, Diffie-Hellman group 1) and the 3DES transforms are what the peers in these examples accept; they are weak by current standards, so use the strongest suite that both peers support.
The following example shows the VPN 5001 concentrator at the central site with remote users and remote offices connecting over the Internet. A larger remote office includes a VPN 5001 concentrator that connects to the central site over the Internet using a LAN-to-LAN tunnel. Remote users and the small remote office are authenticated with a SecurID system and the VPN Users list; the LAN-to-LAN tunnel between the two concentrators uses the shared key in the Tunnel Partner section.

Central site VPN 5001 concentrator configuration:

[ General ]
Password = mypassword
DeviceName = mydevice
IPsecGateway = 136.5.5.2
[ IP Ethernet 0 ]
mode = Routed
IPAddress = 10.1.1.1
SubnetMask = 255.255.255.0
RIPVersion = V2
[ IP Ethernet 1 ]
mode = Routed
IPAddress = 136.5.5.1
SubnetMask = 255.255.255.0
[ IKE POLICY ]
Protection = MD5_DES_G1
[ Logging ]
Level = Debug
LogToAuxPort = On
[ Domain Name Server ]
PrimaryServer = 10.1.1.3
[ Time Server ]
Enabled = On
ServerAddress = 10.1.1.4
Adjust = -480
[ Appletalk Default ]
# Default sets the value for all ports unless
# otherwise specified.
mode = off
[ IPX Default ]
mode = off
[ IP Static ]
0.0.0.0 0.0.0.0 10.1.1.2 1
[ Tunnel Partner VPN 1 ]
Partner = 215.67.89.2
BindTo = Ethernet 1
SharedKey = Mysecret
[ IP VPN 1 ]
mode = routed
RIPVersion = V2
Numbered = Off
[ VPN Group "SmallRemoteOffice" ]
Transform = esp(3des,md5)
LocalIPNet = 10.1.2.0/24
ipnet = 10.1.1.0/24
SecurIDRequired = On
[ VPN Group "RemoteUsers" ]
Transform = esp(3des,md5)
LocalIPNet = 10.1.3.0/24
ipnet = 10.1.1.0/24
SecurIDRequired = On
[ SecurID ]
Enabled = On
PrimAddress = SecurID.company.com
BindTo = Ethernet 0
[ VPN Users ]
# Use a single user name for each group to assign
# the group name.
AUser Config="SmallRemoteOffice" SharedKey="Amykey1"
BUser Config="RemoteUsers" SharedKey="Bmykey1"
Remote office VPN 5001 concentrator configuration (its Partner is the central site's Ethernet 1 address, and the central site's Partner is this device's Ethernet 0 address; the SharedKey must be identical on both):

[ General ]
Password = mypassword
DeviceName = mydevice
[ IP Ethernet 0 ]
mode = Routed
IPAddress = 215.67.89.2
SubnetMask = 255.255.255.0
RIPVersion = V2
[ IP Ethernet 1 ]
mode = Off
[ IKE POLICY ]
Protection = MD5_DES_G1
[ Logging ]
Level = Debug
LogToAuxPort = On
[ Appletalk Default ]
# Default sets the value for all ports unless
# otherwise specified.
mode = off
[ IPX Default ]
mode = off
[ IP Static ]
0.0.0.0 0.0.0.0 215.67.89.1 1
[ Tunnel Partner VPN 1 ]
Partner = 136.5.5.1
BindTo = Ethernet 0
SharedKey = Mysecret
[ IP VPN 1 ]
mode = routed
RIPVersion = V2
Numbered = Off
The following example shows a LAN-to-LAN tunnel connecting Sites A and B over the Internet. Site A uses a VPN 5001 concentrator while Site B uses a Cisco IOS device that supports IPsec.

Site A VPN 5001 concentrator configuration:

[ General ]
IPSecGateway = 210.30.1.1
[ IP Ethernet 0 ]
Mode = Routed
SubnetMask = 255.255.255.0
IPAddress = 192.168.1.5
[ IP Ethernet 1 ]
SubnetMask = 255.255.255.0
IPAddress = 210.30.1.5
Mode = Routed
[ IKE Policy ]
# This value must match the IOS crypto isakmp policy command for hash
# (md5 or sha). IOS uses DES and G1 by default.
Protection = MD5_DES_G1
[ IP Static ]
0.0.0.0 0.0.0.0 210.30.1.1 1
[ Tunnel Partner VPN 1 ]
BindTo = Ethernet 1
Peer = 192.168.3.0/24
# The Transform keyword must match a transform in the IOS
# crypto ipsec transform-set command.
Transform = esp(md5,des)
SharedKey = "letmein"
Mode = Main
KeyManage = Auto
LocalAccess = 192.168.1.0/24
Partner = 210.30.2.5
[ IP VPN 1 ]
Numbered = Off
Mode = Routed
The following example shows the Site B IOS configuration as displayed by the more command. The comments in the Site A concentrator configuration above mark the values that must match between the two devices: the isakmp hash, the transform set, the pre-shared key (bound on IOS to the concentrator's Ethernet 1 address, 210.30.1.5), and the crypto map peer. Access list 101 must describe the same traffic as the concentrator's LocalAccess and Peer networks, with source and destination reversed. Note that this sample has no service password-encryption and reuses the string letmein as the enable password, the vty login password and the IKE pre-shared key, so all three appear in clear text in the running configuration; a real deployment should use distinct secrets.

version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco-3640
!
enable password letmein
!
ip subnet-zero
ip cef
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key letmein address 210.30.1.5
!
crypto ipsec transform-set compatible esp-des esp-md5-hmac
!
crypto map compatible-crypt 1 ipsec-isakmp
 set peer 210.30.1.5
 set transform-set compatible
 match address 101
!
interface FastEthernet0/0
 ip address 210.30.2.5 255.255.255.0
 duplex auto
 speed auto
 crypto map compatible-crypt
!
interface FastEthernet0/1
 ip address 192.168.3.5 255.255.255.0
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 210.30.2.1
no ip http server
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
tftp-server slot0
tftp-server system
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password letmein
 login
!
end
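The Site A and Site B configurations have to agree on more than the two values the page's comments flag. The following Python script, added here as an example and not code from the Cisco page or from the VPN 5000 product, parses the bracketed text format described at the top of the chapter and the relevant IOS commands, then lists every mismatch between the two sides: IKE hash/encryption/group, pre-shared key and the address it is bound to, crypto map peer and interface address, transform set, and the interesting-traffic access list. Trimmed copies of the two sample configurations are embedded so it runs offline. The function names, the dictionary layout, and the assumption that an isakmp policy keyword IOS does not show takes its documented default (hash sha, encryption des, group 1) are this example's own; it does not parse the `[ VPN Users ]` line syntax or IOS keys entered with a leading encryption-type digit.

```python
# Added example (not Cisco's code): parse the VPN 5000 bracketed text format and the IOS
# IPsec commands, then verify the values that must match on both ends of the Site A/B tunnel.
# VPN_CFG and IOS_CFG are trimmed copies of the page's Site A and Site B samples.
import ipaddress
VPN_CFG = """\
[ IP Ethernet 1 ]
IPAddress = 210.30.1.5
[ IKE Policy ]
# must equal the IOS isakmp policy (hash md5; IOS defaults to des and group 1)
Protection = MD5_DES_G1
[ Tunnel Partner VPN 1 ]
BindTo = Ethernet 1
Peer = 192.168.3.0/24
Transform = esp(md5,des)
SharedKey = "letmein"
LocalAccess = 192.168.1.0/24
Partner = 210.30.2.5
"""
IOS_CFG = """\
crypto isakmp policy 1
 hash md5
crypto isakmp key letmein address 210.30.1.5
crypto ipsec transform-set compatible esp-des esp-md5-hmac
crypto map compatible-crypt 1 ipsec-isakmp
 set peer 210.30.1.5
 set transform-set compatible
 match address 101
interface FastEthernet0/0
 ip address 210.30.2.5 255.255.255.0
 crypto map compatible-crypt
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def parse_vpn_text(text):
    """{section: {key: value}}: heads and keys lower-cased, '#' lines skipped, quotes stripped."""
    cfg, sec = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sec = cfg.setdefault(" ".join(line[1:-1].split()).lower(), {})
        elif "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            sec[key.strip().lower()] = value.strip().strip('"')
    return cfg

def wildcard_to_net(addr, wildcard):  # IOS 'address wildcard' -> IPv4Network (wildcard = ~netmask)
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_ios(text):
    """isakmp policy (seeded with IOS defaults), PSK, transform-sets, crypto maps, interfaces, ACLs."""
    ios = {"isakmp": {"hash": "sha", "encryption": "des", "group": "1"},
           "tsets": {}, "maps": {}, "acls": {}, "intfs": {}}
    cur = None  # the policy / crypto map / interface dict that indented sub-commands belong to
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!": continue
        if raw.startswith(" "):  # 'hash md5' -> {'hash': 'md5'}; 'set peer X' -> {'set peer': X}
            if cur is not None and len(w) > 1:
                cur[w[0] if len(w) == 2 else " ".join(w[:2])] = w[1] if len(w) == 2 else w[2]
            continue
        cur = None
        if w[:3] == ["crypto", "isakmp", "policy"]:
            cur = ios["isakmp"]
        elif w[:3] == ["crypto", "isakmp", "key"]:
            ios["psk"] = {"key": w[3], "address": w[5]}
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            ios["tsets"][w[3]] = set(w[4:])
        elif w[:2] == ["crypto", "map"] and w[-1] == "ipsec-isakmp":
            cur = ios["maps"].setdefault(w[2], {})
        elif w[0] == "interface":
            cur = ios["intfs"].setdefault(w[1], {})
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            ios["acls"].setdefault(w[1], []).append(
                (wildcard_to_net(w[4], w[5]), wildcard_to_net(w[6], w[7])))
    return ios

def check_interop(vpn_text, ios_text):
    """Mismatches between the VPN 5000 tunnel partner and its IOS peer; [] when consistent."""
    vpn, ios, bad = parse_vpn_text(vpn_text), parse_ios(ios_text), []
    tp = vpn["tunnel partner vpn 1"]
    # Phase 1: Protection = HASH_CIPHER_Gn must equal the isakmp policy's hash/encryption/group.
    hsh, enc, grp = vpn["ike policy"]["protection"].lower().split("_")
    for name, want in (("hash", hsh), ("encryption", enc), ("group", grp[1:])):
        if ios["isakmp"][name] != want:
            bad.append(f"isakmp {name}: VPN wants {want}, IOS has {ios['isakmp'][name]}")
    me = vpn["ip " + tp["bindto"].lower()]["ipaddress"]  # address the VPN tunnels from
    if ios.get("psk") != {"key": tp["sharedkey"], "address": me}:
        bad.append(f"IOS needs: crypto isakmp key {tp['sharedkey']} address {me}")
    intf = next((i for i in ios["intfs"].values() if "crypto map" in i), {})
    cm = ios["maps"].get(intf.get("crypto map"), {})
    if cm.get("set peer") != me or intf.get("ip address") != tp["partner"]:
        bad.append(f"peers: IOS {intf.get('ip address')}->{cm.get('set peer')}, VPN {me}->{tp['partner']}")
    need = {f"esp-{t}-hmac" if t in ("md5", "sha") else f"esp-{t}"  # esp(md5,des) -> IOS names
            for t in tp["transform"].lower()[4:-1].split(",")}
    have = ios["tsets"].get(cm.get("set transform-set"), set())
    if not need <= have:
        bad.append(f"transform-set lacks {sorted(need - have)}")
    # Interesting traffic: IOS source = the VPN's Peer net, IOS destination = its LocalAccess net.
    want = (ipaddress.ip_network(tp["peer"]), ipaddress.ip_network(tp["localaccess"]))
    if want not in ios["acls"].get(cm.get("match address"), []):
        bad.append(f"ACL {cm.get('match address')} does not permit {want[0]} -> {want[1]}")
    return bad
```

`check_interop(VPN_CFG, IOS_CFG)` returns an empty list for the page's pair; change `hash md5` to `hash sha` on the IOS side, or widen the wildcard mask on access list 101, and the corresponding mismatch is reported. Because the IOS defaults are seeded before parsing, a policy that omits `encryption` or `group` is still compared against what the concentrator's Protection keyword requires.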
Posted: Wed Sep 27 10:21:47 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.